jailkit-users

Re: [Jailkit-users] Jail broken after jk_init perl and jk_cp logger


From: Dimitri
Subject: Re: [Jailkit-users] Jail broken after jk_init perl and jk_cp logger
Date: Thu, 10 Dec 2020 19:51:56 +1000
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.12.1

On 10/12/20 5:24 pm, Olivier Sessink wrote:
On 10-12-2020 07:42, Dimitri wrote:
On 10/12/20 3:44 pm, Dimitri wrote:
On 10/12/20 3:20 pm, Dimitri wrote:
On 10/12/20 1:08 pm, Dimitri wrote:

Hi and thanks for a great user management tool.


In the process of setting up a git repository using gitolite on my server and following the instructions at https://gitolite.com/gitolite/fool_proof_setup#fool-proof-step-by-step-install-and-setup,  I managed to break the jail of the virtual host which I'm intending to use. (I am using ISPConfig to manage my virtual-hosts.)

During the gitolite install, I found I needed to add Perl to the jail and performed `jk_init -v -f <rootJailFolder> perl`.  However, this did not fix the install script and I needed to add some additional libraries.  My modified [perl] definition, which fixed the issue I was having at this point, is:

[perl]
comment = the perl interpreter and libraries
executables = /usr/bin/perl
directories = /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5, /usr/lib/x86_64-linux-gnu/perl, /usr/lib/x86_64-linux-gnu/perl5, /usr/lib/x86_64-linux-gnu/perl-base

After doing this, I came across another problem where 'logger' was not found, so I added `regularfiles = /usr/bin/logger` to the [perl] definition, but used jk_cp to actually copy it into the jail (which carried with it a lot of dependencies, though it appears that some may have been missed).

On the next run, instead of getting Perl error messages, I received a SEG FAULT.

Subsequent to the SEG FAULT, I have not been able to `chroot` into the jail.

I suspect that either:
    some required files were not copied across when I added `/usr/bin/logger`
    some environment variable definition is missing, or
    there is a folder either missing or has the wrong permissions
which are causing the SEG FAULT.

As I'm only trivially familiar with Perl, I'm not  quite sure where to look and what to do next.  I've tried using DIFF to compare a still working jail (though one without Perl) with the broken jail, but I can't see anything significant yet.  I have also compared `strace chroot <rootJailFolder>` on a working jail with the one that's broken, but again there doesn't seem anything obvious.

I'm wondering if anyone else has had a similar issue and knows how to fix it?  Or, I'm wondering if anyone has suggestions on how to isolate the problem.

(I am able to provide further information/logs/etc. if needed.)

Thanks in advance, Dimitri.



_______________________________________________
Jailkit-users mailing list
Jailkit-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/jailkit-users

Using strace and ltrace, I've noticed that the version of libc.so.6 being referred to in the respective jails is different.
In the working jail, libc.so.6 is a symlink to libc-2.19.so but in the broken jail it's a symlink to libc-2.23.so.

Seems to me I may need to update all the files I have in the broken jail since I did the jk_init and jk_cp using more recent versions.
How can a jail be updated? Is there something similar in Jailkit to `apt-get upgrade`?

I've looked at the libc.so.6 files in each of the jails (working and not working) and they are significantly different.
In the working jail it's a symlink to libc-2.19.so but in the broken jail it's a symlink to libc-2.23.so.

Having done jk_update -j <rootJailFolder>

A large number of files were removed as they were outdated, and others were copied in their place.

Now, instead of getting the seg fault when I `chroot <rootJailFolder>`, I'm being told:

    chroot: failed to run command ‘/bin/bash’: No such file or directory

The error is misleading because /bin/bash is there, and works in the global space.  So it seems that some dependencies were either removed and not updated, or there are dependencies which jk_update is unable to see.



Ok, it appears that jk_update missed updating the following symlink

    /lib64/ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.19.so

which should have been updated to 

    /lib64/ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.23.so

With this link fixed, the jail is working again.

It appears that you managed to fix all problems by yourself.

In general, if your system has a major upgrade (such as a new major libc version), jk_update is probably not going to fix all issues, you usually have to re-create the jail with jk_init. I usually document all my jails in the jk_init.ini so if I have to re-create them two years later it's a single command.

Olivier





-- 
Bluefish website http://bluefish.openoffice.nl/
Blog http://oli4444.wordpress.com/

Thanks Olivier,  I will need to give some thought to (a) what I installed back then, and (b) how best to document it in a way that I can remember down the road. I never thought I would need to keep the jail updated separately from the base OS.  (In fact, the jail was created under U14 but I'm now running U16.  lol)

The only remaining issues I'm having at the moment are that whilst the jail is working, (a) when I list directories (ls -lha) I see the uid & gid instead of username and groupname, and (b) the user's name in the prompt shows as "I have no name!".

I'm not sure what's causing this as both the global and local passwd and group files have the correct information and permissions.  I'm wondering if this is happening as a result of version conflicts that were caused as part of my addition of Perl to the jail.  I'm doing a DIFF between a working jail and this jail to see if I can spot anything.  Failing that, I might need to rerun jk_init on all the things I've placed into the jail.

Cheers, Dimitri.
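
Added example, not part of the thread and not Jailkit code: the "No such file or directory" for a /bin/bash that exists is what exec reports when the dynamic loader named in the binary's PT_INTERP header does not resolve inside the jail, which is the stale ld-linux-x86-64.so.2 symlink found above. The Python below checks that from the host without entering the jail; it assumes little-endian ELF64 binaries, and the function names are hypothetical.

```python
import os, posixpath, struct, sys

def read_interp(path):
    """Return the PT_INTERP string of a little-endian ELF64 file, else None."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < 64 or data[:6] != b"\x7fELF\x02\x01":
        return None
    (phoff,) = struct.unpack_from("<Q", data, 32)            # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", data, 54)   # e_phentsize, e_phnum
    for i in range(phnum):
        p_type, _, off, _, _, size = struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
        if p_type == 3:  # PT_INTERP: path of the dynamic loader
            return data[off:off + size].rstrip(b"\0").decode()
    return None

def resolve_in_jail(jail, path, depth=0):
    """Resolve path as a chrooted process would: absolute symlink targets restart at the jail root."""
    parts, cur = [p for p in path.split("/") if p not in ("", ".")], "/"
    for i, part in enumerate(parts):
        if part == "..":
            cur = posixpath.dirname(cur)  # cannot climb above the jail root
            continue
        host = jail.rstrip("/") + posixpath.join(cur, part)
        if os.path.islink(host):
            if depth >= 40:
                return None  # symlink loop
            rest = [os.readlink(host)] + parts[i + 1:]
            return resolve_in_jail(jail, posixpath.join(cur, *rest), depth + 1)
        if not os.path.exists(host):
            return None
        cur = posixpath.join(cur, part)
    return cur

def check_binary(jail, binary):
    """Report whether binary and its dynamic loader both exist inside the jail."""
    real = resolve_in_jail(jail, binary)
    if real is None:
        return "binary missing"
    interp = read_interp(jail.rstrip("/") + real)
    if interp is None:
        return "no PT_INTERP (static, or not ELF64)"
    return "ok" if resolve_in_jail(jail, interp) else "loader missing: " + interp

if __name__ == "__main__":  # usage: script.py [jail root] [binary path inside the jail]
    args = sys.argv[1:]
    jail = args[0] if args else "/"
    binary = args[1] if len(args) > 1 else "/bin/bash"
    print(binary, "in", jail, "->", check_binary(jail, binary))
```

Running it over every executable in a jail after a distribution upgrade shows which loader links jk_update left behind.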


